ci: skip Cloudflare deploy on Dependabot PRs#34
Conversation
GitHub blocks repository secrets from runs triggered by dependabot[bot], so CLOUDFLARE_API_TOKEN is empty and Wrangler fails. The build step still runs as a sanity check that the dependency bump compiles, but the preview deploy and PR comment are skipped for these runs. Unblocks PRs #20-#25 (and any future dependabot website-deps bumps). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Docs Preview: Preview URL: https://chore-dependabot-skip-cf-dep.aeojs.pages.dev This preview was deployed from the latest commit on this PR.
Greptile Summary: Adds
Confidence Score: 5/5
Safe to merge — a minimal, well-scoped CI fix with no logic or security concerns. Both changed conditions are identical and correct: No files require special attention.
Important Files Changed
Flowchart

```mermaid
%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[Workflow trigger] --> B{event_name?}
    B -->|push to main| C[Checkout + Build]
    B -->|pull_request| D[Checkout + Build]
    B -->|workflow_dispatch| E[Checkout + Build]
    C --> F[Deploy to Production]
    D --> G{actor == dependabot bot?}
    E --> H[No deploy steps match]
    G -->|Yes| I[Skip Deploy Preview\nSkip Comment Preview URL\n✅ Build ran as sanity check]
    G -->|No| J[Deploy Preview\nto Cloudflare Pages]
    J --> K[Comment Preview URL on PR]
```
Reviews (1): Last reviewed commit: "ci(deploy-docs): skip Cloudflare deploy ..."
LGTM — straightforward CI fix to skip Cloudflare deploy steps on Dependabot PRs where repo secrets aren't available.
Extended reasoning...
Overview
This PR modifies a single GitHub Actions workflow (.github/workflows/deploy-docs.yml) to skip two steps (Deploy Preview and Comment Preview URL) when the PR is authored by dependabot[bot]. It adds an explanatory comment and tightens the existing if: conditions with && github.actor != 'dependabot[bot]'.
Security risks
None. If anything, this is the safer choice: Dependabot-authored runs already cannot read repository secrets by design, and the alternative (Dependabot secrets) would broaden the trust surface for a docs-preview convenience. The github.actor check is evaluated by the Actions runner and not user-controllable from a PR.
Level of scrutiny
Low — CI-only change, no production code paths affected. The Install and build sanity check still runs for Dependabot PRs, so we don't lose build-failure detection on dep bumps.
Other factors
The diff is two-line condition changes plus a comment, both following established Actions patterns. The root-cause analysis in the PR description matches the documented GitHub behavior. No bugs flagged by the bug hunting system.
Problem
PRs #20–#25 (all Dependabot website-deps bumps) are blocked on the Deploy Docs to Cloudflare Pages check. Wrangler errors with:
Root cause: GitHub Actions blocks repository secrets from runs authored by `dependabot[bot]` as a security measure. So `secrets.CLOUDFLARE_API_TOKEN` is empty on those runs and the deploy step fails.
Fix
Skip the Deploy Preview and Comment Preview URL steps when `github.actor == 'dependabot[bot]'`. The Install and build step still runs, so we keep the sanity check that the dep bump actually compiles.
Why not pass the token via dependabot secrets?
Could work (`Settings → Secrets → Dependabot`), but it requires duplicating the secret and slightly broadens the trust surface for Dependabot. For a docs preview, it's not worth that — we don't need a per-PR preview from Dependabot bumps.
After this merges
The 6 stuck Dependabot PRs need to either:
🤖 Generated with Claude Code
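The page does not show the diff itself, so the following is an added illustration of the workflow shape the PR description and the review describe, not the repository's actual `.github/workflows/deploy-docs.yml`. The Cloudflare action and its inputs (`cloudflare/wrangler-action@v3`, `apiToken`, `accountId`, `command`, the `deployment-url` output), the `actions/github-script@v7` comment step, the `dist` output directory and the `docs` project name are all assumptions; only the three triggers, the step names and the `github.actor != 'dependabot[bot]'` guard come from the page.

```yaml
# Added example, not the project's own workflow file. Action versions,
# inputs, project name and output directory are assumed.
name: Deploy Docs to Cloudflare Pages

on:
  push:
    branches: [main]
  pull_request:
  workflow_dispatch:

jobs:
  deploy:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      pull-requests: write   # required by the "Comment Preview URL" step

    steps:
      - uses: actions/checkout@v4

      - name: Install and build
        # Runs for every trigger, including dependabot[bot] PRs: this is
        # the sanity check that the dependency bump still compiles.
        run: |
          npm ci
          npm run build

      - name: Deploy to Production
        if: github.event_name == 'push' && github.ref == 'refs/heads/main'
        uses: cloudflare/wrangler-action@v3
        with:
          apiToken: ${{ secrets.CLOUDFLARE_API_TOKEN }}
          accountId: ${{ secrets.CLOUDFLARE_ACCOUNT_ID }}
          command: pages deploy dist --project-name=docs

      # Runs triggered by dependabot[bot] cannot read repository secrets, so
      # secrets.CLOUDFLARE_API_TOKEN expands to an empty string there and
      # Wrangler fails. The two steps below are skipped for those runs rather
      # than duplicating the token as a Dependabot secret.
      - name: Deploy Preview
        id: preview
        if: github.event_name == 'pull_request' && github.actor != 'dependabot[bot]'
        uses: cloudflare/wrangler-action@v3
        with:
          apiToken: ${{ secrets.CLOUDFLARE_API_TOKEN }}
          accountId: ${{ secrets.CLOUDFLARE_ACCOUNT_ID }}
          command: pages deploy dist --project-name=docs --branch=${{ github.head_ref }}

      - name: Comment Preview URL
        if: github.event_name == 'pull_request' && github.actor != 'dependabot[bot]'
        uses: actions/github-script@v7
        with:
          script: |
            // Preview URL comes from the previous step's output (assumed name).
            const url = '${{ steps.preview.outputs.deployment-url }}';
            await github.rest.issues.createComment({
              owner: context.repo.owner,
              repo: context.repo.repo,
              issue_number: context.issue.number,
              body: `Docs preview: ${url}`,
            });
```

Both guards use the same expression so the comment step can never run without a preview to point at. `github.actor` is the user that triggered the initial workflow run, so the guard still evaluates to `dependabot[bot]` when a maintainer re-runs one of these jobs from the Actions UI; if the intent were "skip for Dependabot-authored PRs regardless of who triggered the run", `github.event.pull_request.user.login` would be the field to compare instead.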